Chapter 24 Β· Glossary

Watering Hole & Supply Chain Glossary

16 key terms for the exam.

Watering Hole Attack
Compromising a website frequented by targets, rather than attacking targets directly. Named after predators who wait at a watering hole for prey rather than hunting. Victims visit a legitimate, trusted site and get infected without clicking anything suspicious β€” simply visiting the page is enough. Bypasses email security, awareness training, and perimeter defenses entirely.
Drive-By Download
Malicious code that executes automatically when visiting a compromised webpage, without any user interaction beyond rendering the page in a browser. No download prompt, no click required. Exploits browser, plugin, or OS vulnerabilities. The malware installs and begins operating silently while the user reads the legitimate page content. Defeated by aggressive browser patching and remote browser isolation.
Exploit Kit
Automated toolkit that probes visiting browsers for known vulnerabilities and delivers appropriate exploits based on the detected configuration. Historically: Angler, RIG, Neutrino. Exploit kits fingerprint the visitor's browser, OS, and plugins; serve the highest-probability exploit for that specific configuration; and deliver a payload automatically on success. Sold and rented on criminal forums, continuously updated as new browser vulnerabilities are discovered.
Malvertising
Malicious code embedded in advertisements served through legitimate ad networks. Attackers either compromise an ad network or purchase ad space with malicious creative content. The ad renders on any website in the network's publisher inventory, delivering exploit code to visitors without the website owner's knowledge. Victims need only view the page. Ad blockers prevent malvertising by blocking third-party ad JavaScript from loading entirely.
Strategic Web Compromise (SWC)
Deliberate selection of a specific website known to be frequented by a targeted victim community, as opposed to opportunistic mass exploitation. Used by nation-state APT groups against defense contractors, government agencies, dissident communities, and critical infrastructure. Characterized by target profiling before site selection, and often by visitor fingerprinting to serve exploits only to visitors matching the target profile β€” making the compromise invisible to security researchers.
Island Hopping
Using a less-secure third party (vendor, MSP, partner, contractor) as a stepping stone to reach the actual high-value target. The "island" is the intermediate organization β€” often selected for its trusted network access to the primary target combined with weaker security posture. Classic example: 2013 Target breach β€” attackers compromised HVAC vendor Fazio Mechanical, pivoted through vendor credentials to Target's POS network, stole 40M credit cards.
Supply Chain Attack
Compromising software, hardware, or services upstream in the supply chain to affect downstream targets. Rather than attacking the target organization directly, the attacker compromises a component β€” software library, update mechanism, hardware component, managed service β€” that the target installs and trusts. One compromised upstream component can affect thousands of downstream organizations simultaneously.
SolarWinds SUNBURST
2020 supply chain attack in which Russian SVR (APT29/Cozy Bear) injected the SUNBURST backdoor into SolarWinds Orion IT monitoring software during the build process. The trojanized update was digitally signed with SolarWinds' legitimate certificate and distributed to approximately 18,000 customer organizations, including US Treasury, State Department, and DHS. SUNBURST was dormant 12–14 days post-install and used legitimate Orion protocols for C2 traffic to evade detection.
XZ Utils Backdoor (CVE-2024-3094)
2024 supply chain attack in which a malicious contributor ("JiaT75" / Jia Tan) spent approximately 2.5 years building trust as a contributor to the xz compression library before inserting a backdoor that would have enabled remote code execution via SSH on systemd-based Linux systems. Caught accidentally by Microsoft engineer Andres Freund who noticed SSH logins were 500ms slower than expected on a benchmarking system. Demonstrated that social engineering of open-source communities is a viable supply chain attack vector.
SBOM (Software Bill of Materials)
A machine-readable inventory of all software components, versions, and dependencies present in an application or system. Enables organizations to immediately identify whether they are affected when a component CVE is published β€” what would take days of manual inventory becomes a seconds-long query. CISA and Executive Order 14028 now require SBOMs for software sold to the US federal government. Analogy: the ingredient label on food β€” you know exactly what's in the product.
SCA (Software Composition Analysis)
Automated scanning of source code, build manifests, and binaries to identify known-vulnerable open-source components and dependencies. Runs continuously in CI/CD pipelines, flagging dependency CVEs as they are published. Complements SBOM: SCA generates and maintains the inventory; SBOM is the output format. Examples: Snyk, OWASP Dependency-Check, GitHub Dependabot, Black Duck.
Reproducible Builds
A build process designed so any third party can independently verify that the distributed compiled binary matches the published source code exactly β€” byte-for-byte. If an attacker injects code into the build pipeline (as in SolarWinds), a reproducible build check would detect a discrepancy between the source and the distributed binary. Provides independent verification that the distribution mechanism has not been tampered with.
Remote Browser Isolation (RBI)
Technology that executes all web browsing in a remote isolated container β€” a cloud or on-premise VM. Only rendered pixel streams are transmitted to the user's screen. JavaScript, exploits, and any drive-by malware execute inside the disposable container, which is destroyed after the session ends and has no access to the corporate network. Even a fully successful drive-by download cannot reach the user's endpoint or the corporate environment. Highly effective against watering hole attacks.
Third-Party Risk Management
Systematic assessment and ongoing monitoring of security risks introduced by vendors, suppliers, partners, and managed service providers. Includes: security posture assessment before granting access, contractual security requirements, network segmentation limiting vendor access to only required resources, mandatory MFA for vendor remote access, just-in-time access provisioning, and session logging. Addresses the island-hopping threat vector by treating every third party with network access as a potential compromise pivot point.
Browser Fingerprinting
Collecting browser and OS attributes β€” version, installed plugins, fonts, screen resolution, timezone, language settings β€” to identify individual users or to profile their specific vulnerable configuration. In watering hole and SWC attacks, fingerprinting is used both to serve targeted exploits matching the visitor's specific vulnerabilities and to filter out non-target visitors (serving exploits only to browsers matching corporate IP ranges or specific configurations while showing clean content to everyone else).
DNS Filtering
Blocking access to known malicious domains at the DNS resolution layer β€” before any TCP connection is established to the malicious server. Even after a successful drive-by download, deployed malware must reach its command-and-control server; DNS filtering severs that communication for known C2 infrastructure. Examples: Cisco Umbrella, Cloudflare Gateway, Infoblox. Low-friction control that applies uniformly to all devices and applications using the filtered DNS resolver.